Positive Technologies
added 2023/08/30 12:00 a.m. · 2 views

PT-2023-33030 · Facebook · Pytorch

Name of the Vulnerable Software and Affected Versions: pytorch/pytorch (affected versions not specified). Description: The filter-test-configs workflow in pytorch/pytorch is vulnerable to an expression injection in Actions. This allows an attacker to potentially leak secrets and alter the repository...

AI score 7.8
Exploits 0 · References 3
OSV
added 2023/06/06 4:29 p.m. · 2 views

CVE-2023-34111 Command Injection Vulnerability in `Release PR Merged` Workflow in taosdata/grafanaplugin

The Release PR Merged workflow in the GitHub repo taosdata/grafanaplugin is subject to a command injection vulnerability which allows for arbitrary code execution within the GitHub Actions context due to the insecure usage of `${{ github.event.pull_request.title }}` in a bash command within the GitHub...

CVSS 8.1 · AI score 8.8 · EPSS 0.01097
Exploits 1 · References 5
Vulnrichment
added 2023/06/06 4:29 p.m. · 7 views

CVE-2023-34111 Command Injection Vulnerability in `Release PR Merged` Workflow in taosdata/grafanaplugin

The Release PR Merged workflow in the GitHub repo taosdata/grafanaplugin is subject to a command injection vulnerability which allows for arbitrary code execution within the GitHub Actions context due to the insecure usage of `${{ github.event.pull_request.title }}` in a bash command within the GitHub...

CVSS 8.1 · AI score 8.4 · EPSS 0.01097
Exploits 1 · References 3
Spring Engineering
added 2023/06/06 12:00 a.m. · 13 views

This Week in Spring - June 6th, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! And what an insane week it's been! Long story short, I've spent 10-12 hours a day over the last five days migrating a dozen different applications and services from one GKE cluster to another, taking the time to update things...

AI score 6.8
Exploits 0
OSV
added 2023/05/01 1:42 p.m. · 19 views

GHSA-H3QR-39J9-4R5V Data written to GitHub Actions Cache may expose secrets

Impact: This vulnerability impacts GitHub workflows using the Gradle Build Action that have executed the Gradle Build Tool with the configuration cache enabled, potentially exposing secrets configured for the repository. Secrets configured for GitHub Actions are normally passed to the Gradle Build...

CVSS 7.6 · AI score 6.9 · EPSS 0.00236
Exploits 0 · References 4
GitHub Security Blog
added 2023/05/01 1:42 p.m. · 23 views

Data written to GitHub Actions Cache may expose secrets

Impact: This vulnerability impacts GitHub workflows using the Gradle Build Action that have executed the Gradle Build Tool with the configuration cache enabled, potentially exposing secrets configured for the repository. Secrets configured for GitHub Actions are normally passed to the Gradle Build...

CVSS 7.6 · AI score 6.5 · EPSS 0.00236
Exploits 0 · References 4 · Affected Software 1
NVD
added 2023/04/28 4:15 p.m. · 7 views

CVE-2023-30853

Gradle Build Action allows users to execute a Gradle Build in their GitHub Actions workflow. A vulnerability impacts GitHub workflows using the Gradle Build Action prior to version 2.4.2 that have executed the Gradle Build Tool with the configuration cache enabled, potentially exposing secrets...

CVSS 7.6 · AI score 7.6 · EPSS 0.00236
Exploits 0 · References 2
Prion
added 2023/04/28 4:15 p.m. · 14 views

Default configuration

Gradle Build Action allows users to execute a Gradle Build in their GitHub Actions workflow. A vulnerability impacts GitHub workflows using the Gradle Build Action prior to version 2.4.2 that have executed the Gradle Build Tool with the configuration cache enabled, potentially exposing secrets...

CVSS 4 · AI score 6.5 · EPSS 0.00236
Exploits 0 · References 2 · Affected Software 1
Vulnrichment
added 2023/04/28 3:10 p.m. · 5 views

CVE-2023-30853 Gradle Build Action data written to GitHub Actions Cache may expose secrets

Gradle Build Action allows users to execute a Gradle Build in their GitHub Actions workflow. A vulnerability impacts GitHub workflows using the Gradle Build Action prior to version 2.4.2 that have executed the Gradle Build Tool with the configuration cache enabled, potentially exposing secrets...

CVSS 7.6 · AI score 7.6 · EPSS 0.00236
Exploits 0 · References 2
CVE
added 2023/04/28 3:10 p.m. · 40 views

CVE-2023-30853

CVE-2023-30853 describes an information disclosure in the Gradle Build Action for GitHub Actions when the configuration cache is enabled in versions prior to 2.4.2. Environment variables passed to Gradle can be persisted into GitHub Actions cache entries, which may be read by untrusted workflows ...

CVSS 7.6 · AI score 7.1 · EPSS 0.00236
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2023/04/28 3:10 p.m. · 18 views

CVE-2023-30853 Gradle Build Action data written to GitHub Actions Cache may expose secrets

Gradle Build Action allows users to execute a Gradle Build in their GitHub Actions workflow. A vulnerability impacts GitHub workflows using the Gradle Build Action prior to version 2.4.2 that have executed the Gradle Build Tool with the configuration cache enabled, potentially exposing secrets...

CVSS 7.6 · AI score 7.8 · EPSS 0.00236
Exploits 0 · References 2
OSV
added 2023/04/28 3:10 p.m. · 13 views

CVE-2023-30853 Gradle Build Action data written to GitHub Actions Cache may expose secrets

Gradle Build Action allows users to execute a Gradle Build in their GitHub Actions workflow. A vulnerability impacts GitHub workflows using the Gradle Build Action prior to version 2.4.2 that have executed the Gradle Build Tool with the configuration cache enabled, potentially exposing secrets...

CVSS 7.6 · AI score 6.8 · EPSS 0.00236
Exploits 0 · References 4
Positive Technologies
added 2023/04/28 12:00 a.m. · 6 views

PT-2023-23009 · Gradle +1 · Gradle Build Tool +1

Name of the Vulnerable Software and Affected Versions: Gradle Build Action versions prior to 2.4.2. Description: A vulnerability in the Gradle Build Action impacts GitHub workflows that have executed the Gradle Build Tool with the configuration cache enabled, potentially exposing secrets configure...

CVSS 7.6 · AI score 6.5 · EPSS 0.00236
Exploits 0 · References 7
CNNVD
added 2023/04/28 12:00 a.m. · 4 views

Gradle information disclosure vulnerability

Gradle is a set of JVM-based project building tools from the US company Gradle, which supports maven, Ivy repositories and more. An information disclosure vulnerability exists in Gradle versions prior to 2.4.2, which stems from the fact that data stored in the GitHub Actions cache can be read by...

CVSS 7.6 · AI score 6.4 · EPSS 0.00236
Exploits 0 · References 3
Snyk
added 2023/04/04 8:19 a.m. · 1 view

Malicious Package

Overview: vscode-github-actions is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this...

CVSS 9.8 · AI score 7.1
Exploits 0 · References 3
OSV
added 2023/04/03 5:41 a.m. · 6 views

MAL-2023-945 Malicious code in vscode-github-actions (npm)

--- -= Per source details. Do not edit below this line. =- Source: ghsa-malware d9186f60970b4228055c97ae3bbbf2c4691411f82c44db8033fc56d68cae50fa. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits 0 · References 1
OSSF Malicious Packages
added 2023/04/03 5:41 a.m. · 1 view

Malicious code in vscode-github-actions (npm)

--- -= Per source details. Do not edit below this line. =- Source: ghsa-malware d9186f60970b4228055c97ae3bbbf2c4691411f82c44db8033fc56d68cae50fa. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits 0 · References 1
HackerOne
added 2023/03/31 2:07 p.m. · 96 views

Weblate: Testing flow includes a DeepSource secret

The testing workflow for the WeblateOrg/wlc repository included a DeepSource secret, which could have allowed a malicious actor to access parts of the repository and report artifacts to DeepSource. The recommended usage would have been to create a GitHub action environment secret and call it at...

AI score 7
Exploits 0
OSV
added 2023/03/07 8:07 p.m. · 21 views

GHSA-P756-RFXH-X63H Azure/setup-kubectl: Escalation of privilege vulnerability for v3 and lower

Impact: This vulnerability only impacts versions v2 and lower. An insecure temporary creation of a file allows other actors on the Actions runner to replace the Kubectl binary created by this action because it is world writable. This Kubectl tool installer runs `fs.chmodSync(kubectlPath, 777)` to set...

CVSS 3 · AI score 5.6 · EPSS 0.00892
Exploits 0 · References 4
NVD
added 2023/03/07 5:15 p.m. · 14 views

CVE-2022-46257

An information disclosure vulnerability was identified in GitHub Enterprise Server that allowed private repositories to be added to a GitHub Actions runner group via the API by a user who did not have access to those repositories, resulting in the repository names being shown in the UI. To exploi...

CVSS 4.3 · AI score 4.2 · EPSS 0.00192
Exploits 0 · References 4